Newsletters
News & Information for Technology Purchasers NewsFactor Sites:       NewsFactor.com     Enterprise Security Today     CRM Daily     Business Report     Sci-Tech Today  
   
This ad will display for the next 20 seconds. Click for more information, or
Home Enterprise I.T. Cloud Computing Applications Hardware More Topics...
World Wide Web
Tame your scariest paperwork. Find Out How
Average Rating:
Rate this article:  
Android Security Flaw Allows Malicious Code To Go Unseen
Android Security Flaw Allows Malicious Code To Go Unseen

By Jennifer LeClaire
July 5, 2013 10:32AM

    Bookmark and Share
"All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn't been tampered with or modified," said Bluebox Security CTO Jeff Forristal. "This vulnerability makes it possible to change an application's code without affecting the cryptographic signature."
 



Talk about the Android operating system being less secure than other mobile platforms is nothing new. Neither are studies that set out to prove the point.

But a report from start-up Bluebox Security's research team, Bluebox Labs, is highlighting a recently discovered vulnerability in Android's security model that allows a hacker to modify APK code without breaking an application's cryptographic signature. The result: the bug can turn any legitimate application into a malicious Trojan without an app store, the phone or the end user ever discovering it.

"The implications are huge!" said Jeff Forristal, Bluebox chief technology officer, writing in a blog post. "This vulnerability, around at least since the release of Android 1.6 (codename: "Donut"), could affect any Android phone released in the last 4 years -- or nearly 900 million devices -- and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet."

A Slick Move

According to Forristal, here's how it works: The vulnerability involves discrepancies in how Android applications are cryptographically verified and installed, allowing for APK code modification without breaking the cryptographic signature.

"All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn't been tampered with or modified," he explained. "This vulnerability makes it possible to change an application's code without affecting the cryptographic signature of the application -- essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been."

Forristal noted that details of Android security bug 8219321 were responsibly disclosed through Bluebox Security's close relationship with Google in February 2013. It's up to device manufacturers to produce and release firmware updates for mobile devices -- and for users to install these updates.

Risk Overblown?

As Forristal sees it, the risk is great for both the individual and the enterprise because a malicious app can access individual data, or gain entry into a corporation. He said the Trojan could give bad actors access to the Android system and all apps, data, e-mail, text messages and documents, as well as retrieve all stored account and service passwords.

What's more, he said it can "essentially take over the normal functioning of the phone and control any function," including making arbitrary phone calls, send arbitrary SMS messages, turning on the camera, and recording calls. Hackers could even turn the phone into a zombie to create a botnet.

Should Android users be scared? Roger Entner, a wireless industry analyst at Recon Analytics, doesn't think so. He told us vulnerabilities in Android do exist, but many times security vendors are offering solutions for problems that don't exist on a wide scale.

"Some security companies publish case studies on what could happen and say you need their antivirus solution even though the virus has never been seen in the wild," Entner said. "They are offering a vaccine to a virus that they are making themselves and saying 'this could be out there.' We haven't seen viruses or malware even in an insignificant fashion in the wild."
 

Tell Us What You Think
Comment:

Name:

Thomas Swift:

Posted: 2013-07-08 @ 2:05am PT
"It's up to device Relevant Products/Services manufacturers to produce and release firmware updates for mobile devices -- and for users to install these updates." what percent of Android phones from Pay-as-you-go vendors relieve updates and patches? How many actually use anti-virus?

Jon Anderson:

Posted: 2013-07-05 @ 11:14am PT
Roger Entner, sir, you are possibly years behind in security news. Here's a nicely compiled list of in the wild android malware:

http://forensics.spreitzenbarth.de/android-malware/

"We haven't seen viruses or malware even in an insignificant fashion in the wild."

Guess we know which company to avoid!





 World Wide Web
1.   Zillow Buys Trulia for $3.5 Billion
2.   'Right To Be Forgotten': 26 Questions
3.   Twitter Admits to Diversity Problems
4.   Internet of Things Comes to DIYers
5.   Social Media Haters Speak Up


advertisement
Radical.FM's Freemium Biz Model
Online radio startup asks for donations.
Average Rating:
Facebook Social Experiment Irks Us
Secretive test was legal, but ethical?
Average Rating:
'Right To Be Forgotten': 26 Questions
EU regulators probe Google, others.
Average Rating:
Product Information and Resources for Technology You Can Use To Boost Your Business

Network Security Spotlight
Researchers Working To Fix Tor Security Exploit
Developers for the Tor privacy browser are scrambling to fix a bug revealed Monday that researchers say could allow hackers, or government surveillance agencies, to track users online.
 
Wall Street Journal Hacked Again
Hacked again. That’s the story at the Wall Street Journal this week as the newspaper reports that the computer systems housing some of its news graphics were breached. Customers not affected -- yet.
 
Dropbox for Business Beefs Up Security
Dropbox is upping its game for business users. The cloud-based storage and sharing company has rolled out new security, search and other features to boost its appeal for businesses.
 

Enterprise Hardware Spotlight
Watson Gets His First Customer Service Gig
Since appearing on Jeopardy, IBM's Watson supercomputer has been making a living using his super-intelligent knowledge base for business verticals. Now, Watson's been hired for his first customer service job.
 
Tablet Giants Apple and Samsung Feel the Heat
When a company saturates its home market with a once-hot product, expect it to pump up efforts elsewhere. Apple, for its part, is now pushing iPads to big corporations and the enterprise market.
 
Microsoft Makes Design Central to Its Future
Over the last four years, Microsoft has doubled the number of designers it employs, putting a priority on fashioning devices that work around people's lives -- and that are attractive and cool.
 

Mobile Technology Spotlight
T-Mobile Calls 'BS' on AT&T's New Promotion
While Verizon Wireless is moving to throttle bandwidth hogs, a scrappy T-Mobile is taking on the giants with a limited-time promotion it hopes will drive up the churn rates of its wireless rivals.
 
Microsoft Update to Windows Phone 8.1 Already Coming
An update to Windows Phone 8.1 is on the way just weeks after the release of the product itself. Microsoft has begun detailing some of the update features to phone manufacturers.
 
Stanford Researchers Report Battery Breakthrough
Stanford researchers have found a way to use lithium in a battery's anode, a breakthrough that could triple capacity and has been described as the "holy grail of battery science."
 

Navigation
NewsFactor Network
Home/Top News | Enterprise I.T. | Cloud Computing | Applications | Hardware | Mobile Tech | Big Data | Communications
World Wide Web | Network Security | Data Storage | CRM Systems | Microsoft/Windows | Apple/Mac | Linux/Open Source | Personal Tech
Press Releases
NewsFactor Network Enterprise I.T. Sites
NewsFactor Technology News | Enterprise Security Today | CRM Daily

NewsFactor Business and Innovation Sites
Sci-Tech Today | NewsFactor Business Report

NewsFactor Services
FreeNewsFeed | Free Newsletters

About NewsFactor Network | How To Contact Us | Article Reprints | Careers @ NewsFactor | Services for PR Pros | Top Tech Wire | How To Advertise

Privacy Policy | Terms of Service
© Copyright 2000-2014 NewsFactor Network. All rights reserved. Article rating technology by Blogowogo. Member of Accuserve Ad Network.